Consultations to update the Regulatory Technical Standard (RTS)

Consultations to discuss possible amendments to the Regulatory Technicals Standards (RTS) which could mean big news for PSD2 exemptions.

Patrick Drexler

VP of DACH and Friendly Fraud

29 November 2021


6 min read

In our many Payment Services Directive (PSD2) updates, we highlight how the implementation is heralding positive results in decreasing fraud rates. This is great news. However, we also stress how transaction declines and customer conversions remain a problem for Payment Services Providers (PSPs), with the main area of friction being SCA (Strong Customer Authentication). Now just a few months later, the European Banking Authority (EBA) has held public consultations to update the Regulatory Technical Standards (RTS) where PSD2 exemptions are concerned - some financial institutes have not taken advantage of exemptions, choosing instead to require intrusive SCA for every transaction.

Not all financial institutions have taken advantage of PSD2 exemptions

PSD2 exemptions are defined based on the level of risk, the payment amount being processed, recurrence and the channel used for the execution of a payment. These exemptions allow PSPs to achieve the right balance between the convenience of the payment experience and fraud reduction.

Article 10 of the Regulatory Technical Standards provides an exemption from the application of SCA when a customer accesses limited payment account information, provided that SCA is applied during the first access attempt and at least every 90 days thereafter. When developing the RTS, the EBA introduced this exemption as without it, the requirement set out in PSD2 would have required SCA to be applied for every single access. This would have undermined the viability of account information services (AISs) that the PSD2 has sought to promote as a new innovative service in the EU.

However, the experience gained in the first years of the application of the RTS has shown that with regard to this particular exemption in Article 10, the voluntary nature of the exemption has led to various approaches to its application, with some ASPSPs (Account Servicing Payment Service Provider, such as banks and other financial institutions dealing with payments) requesting SCA every 90-days, others at shorter time intervals, whilst a third group of ASPSPs have not applied for the exemption at all and request SCA for every account access. Can you imagine the customer frustration experienced and the effects it may have?

90-day SCA exemptions to be extended to 180-days and become mandatory

In an attempt to improve the situation, the EBA published a consultation paper in October 2021 explaining how ASPSPs have not taken advantage of exemptions that would help to ensure a positive customer user experience (UX). It seems that by not adhering to perfectly acceptable exemptions, the very reason for PSD2 (to improve the customer UX) has been undermined. Therefore, in November 2021, a public consultation period, along with a public hearing (November 11) was held in order to discuss amendments to the RTS on SCA and Secure Communication (CSC) and make it less obtrusive for account information service providers (AISP) to verify user data. The stated aim is to promote user-friendly services and make exemptions mandatory, extending them from 90 to 180 days. It is important to note, the EBA does not have the legal means to change anything following consultations, however, amending the RTS will be finalised and submitted to the EU Commission for endorsement.

One of the backbones of Open Banking and PSD2, AISs enable businesses and institutions to share their data with other financial providers, banks, and Third Party Providers (TPPs). Under PSD2, all ASPSPs in Europe are required to participate in open banking and provide access to the data. The sharing of information, in theory, is to make customer transactions much easier, quicker and safer to perform, but in practice, although fraud levels have decreased, the means and methods used by various institutions have varied, ranging from ineffective fraud prevention solutions, to simply not adhering to the new directive through lack of full understanding.

Effective cooperation between financial institutions and fintech companies is key

Since January 2018, the EU Payment Services Directive PSD2 has demanded that banks allow customers to decide for themselves which providers they want to make their account information available to – and banks must create the technical conditions for access in the form of banking APIs (application programme interface). This has created a new dynamic of innovation in the financial world. New banking services can improve the customer experience and strengthen competition – many services only become feasible with the solutions developed by AISP. In this respect, PSD2 provides a vibrant FinTech ecosystem of new apps and services powered by AISPs. Nethone is one such company.

We frequently highlight how frictionless payment experiences can be achieved using Transaction Risk Analysis (TRA) exemptions for merchants, making use of advanced behavioral biometrics and digital fingerprinting backed up by machine learning (ML) models to improve SCA. This exemption is not truly an exemption, as SCA is performed for every transaction, running quietly in the background and in real-time, unnoticed by customers. If ASPSPs chose to perform SCA every time, advanced fintech solutions would have allowed them to do so without frustrating customers. The role of fintech companies to bridge the gap between customers, merchants and ASPSPs has not been fully utilised by numerous players. There is still a lack of cooperation between them, partly down to lack of understanding about how to best implement PSD2 in practice.

Frictionless SCA experiences are possible with machine mearning (ML) models

This is where fintech companies such as Nethone become prominent players in aiding the authentication process, bridging the gap between PSPs, banks and fintech companies, in order to provide a frictionless experience for customers using a range of sophisticated tools. Advanced fraud solutions based on digital fingerprinting, behavioral biometrics, all backed up by advanced Machine Learning (ML) models perform immensely well in real-world applications, effectively performing SCA in an unobtrusive way, unseen by the customer. This satisfies the needs of financial institutes and merchants vying to process payments and user data for authentication purposes while improving the security of payments and protecting customers. The answer to solving many of the teething problems of PSD2 implementation has been available through fintech companies such as Nethone for some time now - of course, regulations play their part too, but it still seems cooperation and education are key parts of the process.

If you are interested in how PSD2 exemptions and regulatory technical standards (RTS) apply to your business, we are here to help you with an advanced fraud solution that ensures a frictionless UX for your customers. Let's talk - click 'book a call' at the top of this page or contact Patrick directly via email at or via LinkedIn.

Ready to detect fraud just like Azul?

Ready to detect fraud just like Azul?

Start measuring fraud attacks today and find out if there are bots attacking your site. Arrange a call to discuss a tailored solution or explore our platform for free.

Book a call